Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I reference lookup table with a field that have dynamic value?

LeeZeeYuen
New Member
‎01-18-2018 11:07 PM

I have a field value for IP address in the lookup dataset but the IP address from real logs are dynamic and constantly changing.

Tags (2)
0 Karma
Reply

FrankVl
Ultra Champion
‎01-22-2018 01:16 AM

Not sure how that comment relates to the original question (which was about dynamic IP addresses), but I see a few options to deal with getting multiple matches from your lookup:

  1. Configure the lookup with a max. matches setting of 1 (but you may want to check whether that gives the desired match)
  2. Use some additional commands to reduce the multi valued severity_level field to a single value field.
  3. add more key fields to the lookup, to get a unique match
0 Karma
Reply

LeeZeeYuen
New Member
‎01-22-2018 01:27 AM

Haha sorry for the confusing questions. Thanks for the answer anyway I will try it out now!

0 Karma
Reply

LeeZeeYuen
New Member
‎01-21-2018 04:08 PM

This is the sample dataset I have for my lookup`
alt text

I am trying to use the lookup dataset to output the siem_severity field. The commands are as shown below
alt text

However, as you can see there are events with two output-ed "severity_level". I want an events to only display one level of severity

Preview file
34 KB
Preview file
60 KB
0 Karma
Reply

horsefez
Motivator
‎01-19-2018 05:09 AM

Hi LeeZeeYuen,
just give us a bit more description so we are able to help you.

Maybe some screenshots or example events.

Thanks!

0 Karma
Reply

LeeZeeYuen
New Member
‎01-21-2018 04:16 PM

This is the dataset that I am currently using
link text

I need to use the dataset for lookup to output the field "siem_severity". The command used are shown below
link text

However, using this command will cause certain events to have two "severity_level" value
link text

I need to find a solution to only display one "severity_level" value.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...